Wednesday, April 27, 2011

Running Auxiliary Modules Against Multiple Hosts the Smart Way Part 2


In the previous post I talked about using the db_service -R to use the information in your database/workspace to throw an auxiliary module at hosts that had port 443 open.

Let's take this one step further...and throw multiple aux modules against the hosts that have port 80 open.

I'm going to use a resource script to do this. The cool thing about resource scripts is that you dont have to do them just at startup. You can do them anytime on the console.

msf auxiliary(options) > resource
Usage: resource path1 path2 ...

Run the commands stored in the supplied files.


In this case i want to run two modules against every port that has 80 open. Here's some code to do it:


set THREADS 10

[ruby] **#replace [ and ] with their respective "<" or ">"**'

#start with an array to hold our modules we want to run
modules = [
"auxiliary/scanner/http/http_version",
"auxiliary/scanner/http/options",]

#another array for our hosts
hosts = []
framework.db.services.each do |service|
if service.port == 443
hosts << service.host.address
end
end

#loop through each module in the list
modules.each do |blah|
self.run_single("use #{blah}")
puts ("\nRunning Auxiliary Module #{blah}")
#for each host with 443 open, set appropriate configs and run the module against it
hosts.each do |rhost|
self.run_single("set RHOSTS #{rhost}")
self.run_single("set RPORT 443") #change to the port above
self.run_single("set SSL TRUE")
self.run_single("run")
end
end
[/ruby] **#replace [ and ] with their respective "<" or ">"**


Running it:

msf auxiliary(options) > resource /home/user/.msf3/aux_do_dbhosts.rc
resource (/home/user/.msf3/aux_do_dbhosts.rc)> set THREADS 10
THREADS => 10
[*] resource (/home/user/.msf3/aux_do_dbhosts.rc)> Ruby Code (962 bytes)

Running Auxiliary Module auxiliary/scanner/http/http_version
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.106
RPORT => 443
SSL => TRUE
[*] 192.168.1.106 nginx/0.6.32 ( 302-http://192.168.1.106/ )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.107
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.135
RPORT => 443
SSL => TRUE
[*] 192.168.1.135 Apache/2.2.11 (Ubuntu) mod_ssl/2.2.11 OpenSSL/0.9.8g Phusion_Passenger/2.2.15 ( Powered by Phusion Passenger (mod_rails/mod_rack) 2.2.15 )
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.168
RPORT => 443
SSL => TRUE
[*] 192.168.1.168 Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_wsgi/1.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.229
RPORT => 443
SSL => TRUE
[*] 192.168.1.229 Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.3.2-0.dotdeb.1 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.2 Perl/v5.8.8 ( Powered by PHP/5.3.2-0.dotdeb.1 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Running Auxiliary Module auxiliary/scanner/http/options
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.100
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
...SNIP...YOU GET THE IDEA...


-CG

thanks to hdm and jcran
CG

2 comments:

dre said...

A few thoughts on this: AWESOME.

Ok, so basically one needs to create resource script files for each service (e.g. DNS, FTP, HTTP, SSL/TLS, LDAP/AD, SNMP, SMTP, POP, IMAP, SMB/NetBIOS/MSRPC, SIP, SSH, VNC, Telnet/Rservices/X11, TFTP, NTP, and specific database server types) and run the appropriate scanner scripts (note that ftpbounce is in portscan and not scanner for some reason) after loading them in msfconsole with the resource directive.

I'm curious if this is a series of posts, and what will be next!?

CG said...

that's all I got right now